
Integrating Dependabot with Mergify

How to automate your dependencies update using Mergify.


Dependabot helps you keep your dependencies up-to-date by automatically opening pull requests for outdated dependencies. When combined with Mergify, you can automate parts of the process even further, ensuring your projects stay current with minimal manual intervention.

Automating Dependabot Pull Request Merges

There are two primary ways to automate the merging of Dependabot PRs with Mergify:

The first is to set up a queue rule that automatically enqueues Dependabot PRs into the merge queue using autoqueue:

```yaml
queue_rules:
  - name: default
    autoqueue: true
    queue_conditions:
      - author = dependabot[bot]
```

The second, if you have GitHub’s branch protection set up to require approvals, is to use Mergify to automatically approve Dependabot PRs:

```yaml
pull_request_rules:
  - name: Automatically approve Dependabot PRs
    conditions:
      - author = dependabot[bot]
    actions:
      review:
        type: APPROVE
```

Mergify exposes Dependabot-specific attributes describing each update, such as dependabot-dependency-name, dependabot-dependency-type, and dependabot-update-type. You can use these in your queue rule conditions to filter which Dependabot PRs are auto-merged. For instance, you might only want to auto-merge minor version bumps:

```yaml
queue_rules:
  - name: default
    autoqueue: true
    merge_method: merge
    queue_conditions:
      - author = dependabot[bot]
      - dependabot-update-type = version-update:semver-minor
```

For projects where there are frequent updates to a large number of small libraries, it’s efficient to batch these updates together. Using Mergify’s merge queue feature, you can automatically batch and test these updates together, reducing CI load and ensuring compatibility.

For example, you could set up a merge queue to batch those PRs 10 by 10:

```yaml
queue_rules:
  # If you have other queue rules defined, add this at the end so it is processed last
  - name: dep-update
    autoqueue: true
    batch_size: 10
    # Wait for up to 30 minutes for the batch to fill up
    batch_max_wait_time: 30 min
    queue_conditions:
      - author = dependabot[bot]
```
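Combining the update-type filter and the batching shown above, the following is an added example configuration (not taken from the Mergify documentation) that only autoqueues patch and minor bumps from Dependabot, batches them, and additionally requires a named CI check to succeed before the batch merges. The check name `ci` is an assumption; replace it with the name of your own required status check. The value `version-update:semver-patch` is assumed to follow the same naming as the `semver-minor` value on this page.

```yaml
queue_rules:
  # Place this rule after any other queue rules so it is evaluated last.
  - name: dependabot-safe
    autoqueue: true
    merge_method: merge
    # Batch up to 10 Dependabot PRs and test them together.
    batch_size: 10
    batch_max_wait_time: 30 min
    queue_conditions:
      - author = dependabot[bot]
      # Only patch and minor bumps are eligible for hands-off merging;
      # major bumps are left for a human to review.
      - or:
          - dependabot-update-type = version-update:semver-patch
          - dependabot-update-type = version-update:semver-minor
    merge_conditions:
      # "ci" is an assumed check name; use your repository's own required check.
      - check-success = ci
```

Major bumps still get a Dependabot PR, but they never enter this queue and so wait for a reviewer. If you also use the automatic-approval rule from earlier on this page, give it the same update-type conditions so that approvals are not granted to PRs the queue would not merge on its own.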

Disable Dependabot’s Automatic Rebase

By default, Dependabot will try to rebase its pull requests every time there’s a new commit to the main branch. In high-velocity projects with a lot of updates, this can lead to unnecessary CI runs. It’s recommended to disable Dependabot’s automatic rebase feature and instead rely on Mergify to queue and merge these updates efficiently.

To disable automatic rebasing in Dependabot, set the rebase-strategy option to "disabled" in your dependabot.yml:

```yaml
version: 2
updates:
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "weekly"
    # Disable rebasing for npm pull requests
    rebase-strategy: "disabled"
```

Configuring MERGIFY_TOKEN for Dependabot

If you use Mergify features that require a MERGIFY_TOKEN in your GitHub Actions workflows — such as CI Insights or Scopes — you need to add the token to your Dependabot secrets in addition to your regular GitHub Actions secrets.

Dependabot workflows run in a restricted environment and cannot access regular GitHub Actions secrets. Without this extra step, any workflow triggered by a Dependabot pull request will fail to authenticate with the Mergify API.

To configure it:

  1. Go to your repository Settings → Secrets and variables → Dependabot.

  2. Click New repository secret.

  3. Set the name to MERGIFY_TOKEN and paste the same application key you use in your GitHub Actions secrets.

With Mergify and Dependabot working together, you can ensure your project’s dependencies are always up-to-date with minimal effort, ensuring a smooth and efficient update process.